General
Target: df179bfb8c1842ab29d2463ac3fb446ec977a80e420e7e6a543397d2a56a5d6c.exe
Size: 4.9MB
Sample: 241114-kkmy8swfrq
MD5: 90439e356e90dd66d5f3267f8459e4c3
SHA1: 0f499014dd8f2374db0c12773bce0348e780179e
SHA256: df179bfb8c1842ab29d2463ac3fb446ec977a80e420e7e6a543397d2a56a5d6c
SHA512: d7cd59b6e2e3419dd8fef6462c669c011404de19e9be70b82ed1f98cfc6b4fa3a228659dcaf439b06b4961cb3abb98f6aa33b847aa0f425ae4a80fa43135b9f1
SSDEEP: 49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8g:A
Static task: static1
Behavioral task: behavioral1
Sample: df179bfb8c1842ab29d2463ac3fb446ec977a80e420e7e6a543397d2a56a5d6c.exe
Resource: win7-20240903-en
Malware Config
Extracted: colibri 1.2.0, Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Targets
Target: df179bfb8c1842ab29d2463ac3fb446ec977a80e420e7e6a543397d2a56a5d6c.exe
Signatures
- Colibri family
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)